Xinhu Rainrock RockOA SQL Injection Vulnerability in Login Action API

Vulnerability

A SQL injection vulnerability has been identified in Xinhu Rainrock RockOA version 2.7.0. The issue resides in the 'setwxqyAction' method of 'webmain/task/api/loginAction.php'. This vulnerability allows attackers to inject malicious SQL through the 'shouji' and 'userid' parameters, which must be Base64 encoded. Exploitation of this vulnerability could lead to the extraction of sensitive information from the database, including administrator accounts, password hashes, database structure, and other critical data.

Impact

Exploitation of this vulnerability could result in the unauthorized extraction of database information, including administrator accounts, password hashes, and potentially other sensitive data, leading to a complete database compromise.

Reproduction

To reproduce this vulnerability, send a request to 'http://target/api.php?m=login&a=setwxqy' with the 'shouji' and 'userid' parameters Base64 encoded. The 'shouji' parameter should contain a payload that exploits the SQL injection vulnerability, such as a time-based blind injection or a union query technique. The injected SQL code will be executed by the application, allowing for the extraction of sensitive information from the database.
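A defensive check for the request described above, as an added example that is not part of the original advisory or of RockOA's code. Because 'shouji' and 'userid' arrive Base64 encoded, signatures that look for SQL syntax in the raw request see nothing, so this sketch decodes both parameters first and then applies an allow-list. Assumptions: the parameters appear in the logged request URL (for POST bodies, apply the same decode-and-validate step to the logged form fields), 'shouji' is a phone number, and 'userid' is a short account identifier.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Assumed value formats (not from the advisory): 'shouji' is a phone number,
# 'userid' is a short account identifier.
ALLOWED = {
    "shouji": re.compile(r"\+?\d{5,20}"),
    "userid": re.compile(r"[A-Za-z0-9_.@-]{1,64}"),
}


def decode_b64(value):
    """Return the decoded text, or None if the value is not valid Base64."""
    try:
        # parse_qs turns '+' into a space; undo that before decoding.
        raw = base64.b64decode(value.replace(" ", "+"), validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def review_request(url):
    """Return (parameter, reason) findings for one logged request URL."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if query.get("m") != ["login"] or query.get("a") != ["setwxqy"]:
        return []  # not the affected endpoint
    findings = []
    for name, pattern in ALLOWED.items():
        for value in query.get(name, []):
            decoded = decode_b64(value)
            if decoded is None:
                findings.append((name, "not valid Base64"))
            elif not pattern.fullmatch(decoded):
                findings.append((name, "decoded value outside expected format"))
    return findings


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample requests (not captured traffic).
BASE = "/api.php?m=login&a=setwxqy&userid=" + _b64("zhangsan") + "&shouji="
BENIGN = BASE + _b64("13800000000")
SUSPECT = BASE + _b64("13800000000' or '1'='1")
OTHER = "/api.php?m=other&a=other&shouji=" + _b64("x' or '1'='1")
```
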

Added: Dec 9, 2025, 5:18 PM
Updated: Dec 9, 2025, 11:10 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.0
remediation: 0.0
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.